Spear Phishing Campaign Targets Facebook Business Accounts

Researchers at WithSecure have discovered a spear phishing campaign targeting employees who have access to Facebook Business accounts. The attackers single out specific employees and then deliver malware to them through LinkedIn messages.

“Based on telemetry and investigation conducted by WithSecure, one approach employed by the threat actor is to scout for companies that operate on Facebook’s Business/Ads platform and directly target individuals within the company/business that might have high-level access to the Facebook Business,” the researchers write. “We have observed individuals with managerial, digital marketing, digital media, and human resources roles in companies to have been targeted. WithSecure Countercept Detection and Response team has identified instances where the malware was delivered to victims through LinkedIn. These tactics would increase the adversary’s chances of compromising the respective Facebook Business all the while flying under the radar.”

Facebook’s parent company Meta told WithSecure that they’re doing their best to stop these scammers, but the ultimate responsibility is on the users to avoid downloading untrusted software.

Meta stated, “We welcome security research into the threats targeting our industry. This is a highly adversarial space and we know these malicious groups will keep trying to evade our detection. We are aware of these particular scammers, regularly enforce against them, and continue to update our systems to detect these attempts. Because this malware is typically downloaded off-platform, we encourage people to be cautious about what software they install on their devices.”

READ MORE

Phishing-Based Data Breaches Take 295 Days to Contain and Breach Costs Soar to $4.91 Million

Fresh data on data breach costs from IBM show phishing, business email compromise, and stolen credentials take the longest to identify and contain.

There are tangible repercussions of allowing your organization to succumb to a data breach that starts with phishing, social engineering, business email compromise, or stolen credentials – according to IBM’s just-released 2022 Cost of a Data Breach report. Phishing and social engineering go hand-in-hand, with business email compromise and stolen credentials being outcomes of attacks, used as launch points for further malicious actions.

According to the IBM report, the average cost of a data breach in 2022 is $4.35 million, with an average of 277 days to identify the breach and contain it. That’s actually the good news. Why, you ask? Because when you factor in the initial attack vector, it gets worse.

According to IBM, the following are the average data breach costs based on the initial attack vector:

  • Phishing – $4.91 million
  • Business Email Compromise – $4.89 million
  • Stolen Credentials – $4.50 million
  • Social Engineering – $4.10 million

Why so much? A lot of it has to do with how long threat actors act undetected as they move laterally within your environment, gain access to credentials and data, and exfiltrate your valuable data.

According to the report, the longest times revolve around attacks that involve your users:

[Chart: time to identify and contain a breach, by initial attack vector. Source: IBM]

With the average number of days to detection and containment being 277, it’s evident that stolen credentials, phishing, and business email compromise (the attack vectors your users play a role in!) push those “rookie numbers” up, giving attackers an additional 1-2 months’ time to continue their malicious activities.

Additional takeaways

  • Employee security awareness training can cover 49% of the breach types
  • Employee training saves USD $247K in data breach impact cost (Page 20)
  • Breaches in the public cloud were costliest for the organizations that don’t invest in employee training and expect public cloud providers to take care of breaches.

We already know that phishing and BEC attacks focus on either stealing credentials or infecting endpoints, putting the user receiving the malicious email, phone call, text, etc. squarely in the middle of the discussion that results in these massive data breach costs.

Users need to play a role in your security strategy to help mitigate the risk of successful attacks through continual Security Awareness Training that teaches them how to identify suspicious content in email and on the web, helping to avoid any interaction that would result in a data breach.

READ MORE

Ransomware Groups Get Smaller and More Social

The Colonial Pipeline ransomware attack of 2021 put infrastructure operators on notice that they were directly in the crosshairs of big ransomware gangs. The reaction of law enforcement seems, however, to have also put the gangs on notice that their ability to operate with impunity isn’t what it used to be. The big criminal operations seem to be breaking up. That’s not because they’ve gone straight. It’s because they’ve realized that they’re more vulnerable than they used to be.

The gang that hit Colonial Pipeline, DarkSide, disrupted the pipeline’s operation, but the FBI was able to claw back most of the ransom Colonial paid and also in turn to disrupt DarkSide’s own operations. In June of 2021, citing the pressure it was under from US law enforcement, the DarkSide group announced that it was closing down its operation.

Another high-profile ransomware gang, Conti, drew a great deal of hostile attention to itself when it announced, in February of this year, that it was firmly in Moscow’s corner with respect to Russia’s war against Ukraine. That didn’t sit well with some of the gang’s sometime collaborators whose sympathies lay with Ukraine, and critics doxed the gang’s internal chatter. The embarrassment (and the risk) were severe enough that Conti, after a last hurrah committed against Costa Rican government networks and resources in May 2022, seems to have begun winding up its operations by the third week of that month. There was more heat than a large criminal gang could withstand.

But the former members and affiliates of big ransomware gangs are evidently deciding that they can strike out on their own, without the specious coverage of a big umbrella group. Recorded Future’s Allan Liska explained to Tech Monitor why this is so. “They know the operations in and out,” he said. “They know how to do the negotiations. They know how to make code adjustments and all that other stuff. So, they’re fine without a big umbrella group to support them.”

And the new splinter gangs think they have an advantage, and that advantage is social engineering. Yelisey Boguslavskiy, of Advanced Intelligence told Tech Monitor, “As one of the actors said during internal communications, ’We can’t win the war on the technology side because we’re competing with companies that have budgets of tens of billions of dollars. We can never win that, but we can win the social side of things.’”

The social side of things is the speciality of new-school security awareness training. Social engineering will be the focus of the new ransomware gangs, and that new-school training can help make your users more resistant to the gangs’ ministrations.

READ MORE

Huge Losses Caused By Epidemic of ‘Pig Butchering’ Scams

Investigative reporter Brian Krebs reported today that U.S. state and federal investigators are being inundated with reports from people who’ve lost hundreds of thousands or millions of dollars in connection with a complex investment scam known as “pig butchering,” wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.

The term “pig butchering” refers to a time-tested, heavily scripted, and human-intensive process of using fake profiles on dating apps and social media to lure people into investing in elaborate scams. In a more visceral sense, pig butchering means fattening up a prey before the slaughter.

“The fraud is named for the way scammers feed their victims with promises of romance and riches before cutting them off and taking all their money,” the Federal Bureau of Investigation (FBI) warned in April 2022. “It’s run by a fraud ring of cryptocurrency scammers who mine dating apps and other social media for victims and the scam is becoming alarmingly popular.”

Here is the shocker though…

As documented in a series of investigative reports published over the past year across Asia, the people creating these phony profiles are largely men and women from China and neighboring countries who have been kidnapped and trafficked to places like Cambodia, where they are forced to scam complete strangers over the Internet — day after day.

READ MORE

Cybersecurity Should be an Issue for Every Board of Directors

With so many Boards focused on operations, revenue, strategy, and execution, they are completely forgetting the simple fact that a single cyberattack can bring all of that to a screeching halt.

Maybe members of an organization’s Board of Directors don’t care about cybersecurity because it feels very much in the technical weeds. Perhaps it’s because they don’t understand what constitutes a cyberattack. Or maybe it’s because they fail to understand the implications and repercussions of an attack on the business they seek to help grow.

I read an article I wanted to share and summarize from security vendor SentinelOne entitled On the Board of Directors? Beware of These Six Common Cyber Security Myths. In it they highlight some pretty universally-shared misconceptions about cybersecurity that also act as reasons why the Board should be asking the question “what is our cybersecurity stance?” at the very same table where they ask “how were last quarter’s earnings?”

The six misconceptions SentinelOne outlines that Boards often have are:

  1. Cybersecurity is only necessary for certain types of businesses – if you’ve been reading our blog, you know cybercriminal groups target organizations of every geography, industry, and size.
  2. You only need software-based security solutions – We have solutions continually updated with AI-based threat intelligence, and attacks are still succeeding. There are completely malwareless attacks that rely purely on social engineering, which security solutions won’t catch. For the foreseeable future, you should expect that some small percentage of attacks will always get through.
  3. Software vulnerabilities are too much in the weeds for the Board – While I’d agree, the Board should still be having a discussion around the organization’s state of protection against vulnerabilities (think updates, penetration testing, etc.). At the very least, the Board should be discussing the organization’s state of cyber-readiness – which includes addressing vulnerabilities.
  4. Supply Chain attacks aren’t a concern – Attacks on your organization’s supply chain have increased by 51%. It’s not only a concern; it’s now an established initial attack vector, which means the Board needs to be discussing the process by which vendors are selected – something that should include their cybersecurity stance.
  5. The Board can’t have an impact on cyber threats – We’ve continually seen budget and focus named as challenges by the security pros doing the work. A focus by Boards on prioritizing cybersecurity will have a significant impact on the organization’s ability to stop threats.
  6. Employees will always be a cyber risk – I’ve covered before that the human element comes into play in 82% of data breaches. This means employees increase the threat surface and the organization’s risk of a successful cyberattack. Enrolling every employee organization-wide (including those on the Board!) in Security Awareness Training is a surefire strategy to ensure employees play a role in stopping attacks instead of aiding them.

The Board’s job is to strategically manage risk. Usually, the focus is on operational risk. But the modern Board of Directors should be focused on all types of risk – which now includes cyber threats. The misconceptions above are likely just scratching the surface, but they do make the case that Boards today need to expand the discussion to include cybersecurity.

READ MORE

New Phishing Attacks Shame, Scare Victims into Surrendering Twitter, Discord Credentials

A new wave of social media phishing attacks is now using scare tactics to lure victims into handing over their logins.

First, a Twitter phishing attack was reported earlier last week. Threat actors would send direct messages to the victims, flagging the account for use of hate speech. Victims were then redirected to a fake Twitter Help Center and asked to input their login credentials.

Then, a Discord phishing campaign was discovered in which users receive a message from friends and/or strangers accusing them of sending explicit photos on a server. The message also included a link which, if clicked, led to a QR code. This resulted in the account being taken over by the cybercriminals.

Social media has always been used for successful phishing attacks, using social engineering to manipulate victims into disclosing confidential logins. And if successful, social media attacks can open the floodgates to the company network.

James McQuiggan, Security Awareness Advocate at KnowBe4, explained to Dark Reading how effective social media phishing attacks can be: “A lot of the time, phishing attacks rely on the victim reacting to the email in an emotional state,” he says. “The victim sees the email and responds without adequately checking the sender or the link.”

These types of attacks are not going away anytime soon. And with the continuing remote workforce, there is a higher risk of being targeted through your social networks without the word-of-mouth warnings you would get at the office from other employees. Get ahead of the curve now with your employees by implementing new-school security awareness training.

READ MORE

One Employee’s Desire for a New Job Cost His Employer $540 million

A “Fake Job” scam allowed cybercriminals to gain entrance to the network at Sky Mavis, makers of the game Axie Infinity, and eventually take the company for half a billion dollars in crypto.

I shake my head when I read about someone falling for a simple phishing scam with a poorly-written email, the need for a victim-user to open a PDF that then wants you to “log on” to Microsoft 365 first (c’mon, really??!?), and then a bogus logon page (the URL doesn’t even match!!!). But a new scam just reported that took place back in March is much more sophisticated and sinister.

According to The Block, hackers approached Sky Mavis developers via LinkedIn with a lucrative job opportunity at a fake company – including a process that involved multiple interviews and a job offer with “generous compensation.”

The final step in the job process was to download and open a PDF, which was Sky Mavis’ downfall, as it was the host for malware that gave cybercriminals access to the Sky Mavis network and, eventually, Ronin – the Ethereum-linked sidechain.

What makes this attack so impressive is the expertise on the part of the cybercriminals around Ronin and blockchain – enough to gain them access to the validator nodes. The attackers got a hold of the private keys belonging to five of the nine validators – enough to steal Sky Mavis’ crypto assets to the tune of $540 million.

I’ve said it before and it’s worth saying again… it only takes one Phish.

Organizations need to have every employee with privileged access (which includes finances, administrative access to IT, and – yes – developers) undergo continual Security Awareness Training so they remain vigilant, ideally to the point of second nature, especially in circumstances when emotions and hope run high and human defenses are down.

READ MORE

New Phishing Campaign Impersonates Canada Revenue Agency

A phishing campaign is impersonating the Canada Revenue Agency (CRA) in an attempt to steal Canadians’ personal information, according to Rene Holt at ESET. The phishing emails inform users that they’ve received a tax refund of just under CAD$500. The user is directed to click on a link to a spoofed Government of Canada site.

“Understanding how phishers abuse links in emails, the CRA has taken the wise strategy of not providing links in official correspondence and instead instructing clients to navigate on their own to the official website,” Holt writes. “If, however, you do click on the ‘Interac e-Transfer Autodeposit’ button, you are redirected from a malicious link hosted on istandyjeno[.]hu to the malicious subfolder cra_ca_service hosted on oraclehomes[.]com.”

While the phishing page is a convincing replica, users could recognize the site as a scam if they tried to visit other pages.

“Clicking on ‘Jobs’ simply populates the URL with the value of the id attribute of the HTML element for ‘Jobs,’” Holt says. “Next, if you click on the ‘Proceed’ button on the opening page, the next page asks for your personal information, including your social insurance number, date of birth, and mother’s maiden name – indeed, everything a phisher would need for identity theft.”

Holt offers the following recommendations for users to avoid falling for these scams:

  • “Consider whether the purported sender normally communicates via email in this way.
  • “Rather than clicking on links in an email, it is better to navigate manually to the official website of the apparent sender.
  • “Check for obvious mistakes in the email. For example, why would the Canada Revenue Agency send you email from guidovedebe@skynet.be?
  • “Always be wary of sharing your personal and financial information with any webpage.
  • “Familiarize yourself with the CRA scam alerts page, especially with the samples of fraudulent emails impersonating the CRA.”
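One defender-side triage check for the pattern Holt describes above (the agency named in the display name and body, a sender at an unrelated domain, and a link to a third-party host), as an added example that is not part of ESET’s write-up or this post. The sample message, the trusted-domain set and the helper names are constructed assumptions.

```python
"""Added example: triage a suspected brand-impersonation email.

The sample message below is constructed for illustration, modelled on the
CRA campaign described in the post. CRA_DOMAINS is an assumed allow-list,
not an authoritative list of the agency's real domains.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the real agency would send from or link to.
CRA_DOMAINS = {"canada.ca", "cra-arc.gc.ca"}
BRAND_RE = re.compile(r"\b(canada revenue agency|cra)\b", re.IGNORECASE)

# Constructed sample, using the sender and link host quoted in the post.
SAMPLE_EMAIL = """From: Canada Revenue Agency <guidovedebe@skynet.be>
To: taxpayer@example.com
Subject: Your tax refund of CAD$498.20 is ready
Content-Type: text/html

<html><body>
<p>The Canada Revenue Agency has issued you a refund of CAD$498.20.</p>
<a href="http://istandyjeno[.]hu/redirect">Interac e-Transfer Autodeposit</a>
</body></html>
"""


def refang(value):
    """Turn defanged indicators such as example[.]com back into real form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def is_trusted(host):
    """True if host is one of the allow-listed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CRA_DOMAINS)


def triage_email(raw):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload(decode=True).decode(errors="replace")
    hrefs = re.findall(r'href="([^"]+)"', body)
    text = " ".join((display, msg.get("Subject", ""), body))
    claims_brand = BRAND_RE.search(text) is not None
    findings = []
    # Finding 1: the agency is named, but the envelope sender is unrelated.
    if claims_brand and not is_trusted(sender_host):
        findings.append(f"brand-mismatch: claims CRA but sent from {sender_host}")
    # Finding 2: any link pointing at a host outside the allow-list.
    for href in hrefs:
        host = urlparse(refang(href)).hostname or ""
        if not is_trusted(host):
            findings.append(f"untrusted-link: {host}")
    # Finding 3: per Holt, the CRA does not put links in correspondence at all.
    if claims_brand and hrefs:
        findings.append("links-present: CRA correspondence carries no links")
    return findings


if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EMAIL):
        print(finding)
```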

READ MORE

80% of Organizations Await “Inevitable” Negative Consequences From Email-Borne Cyberattacks

With nearly every organization experiencing some form of phishing attack, new data suggests these attacks are improving in sophistication, effectiveness, and impact.

At some point there is a saturation point, where every organization comes to a realization about the reality of phishing attacks. And according to the State of Email Security Report from email security vendor Mimecast, we’ve reached it.

In their report, Mimecast asked 1,400 organizations both what they’ve experienced and what they expect in the future around phishing attacks. And the results speak volumes:

  • Nearly every organization (96%) has been the target of an email-related phishing attempt in the past year
  • 79% of organizations have seen an increase in email volume
  • 75% of them are seeing an increase in email-based threats
  • 72% of them say the number of email-based threats had risen during the past 12 months
  • 52% feel cyberattacks are growing increasingly sophisticated

And these attacks are having a negative impact – for example, those organizations “hurt” as a result of a ransomware attack rose 23%, up to three-quarters in the last year – with 4 out of 10 organizations failing to recover the impacted data.

Mimecast shed some light on where the problem lies, with 95% of organizations citing insufficient funding, only 14% of IT budgets allocated to cyber resilience efforts, and only 23% providing Security Awareness Training on a “regular, ongoing basis.”

From the looks of things, cybercriminals are stepping up their game and organizations are falling behind. And with users not properly (read: continually) trained on the importance of remaining vigilant against email-based cyberattacks, matched with insufficient funding for cybersecurity initiatives, I’m afraid the trends spelled out by Mimecast are only going to continue.

READ MORE

Bad News to Ransom Payers: 80% of You Will Face a Second Attack Within 30 Days

New insight into what happens during and after a ransomware attack paints a rather dismal picture of what to expect from attackers, your executives, and your operations.

I’d love to tell you that once you get through a ransomware attack, all will be well. But that’s just not the case. According to Cybereason’s Ransomware: The True Cost to Business report, the reality of mid- and post-attack circumstances is anything but resilient.

Let’s start with the fact that, according to the report, 73% of all organizations have experienced a ransomware attack in the last 12 months. And of those that were attacked, the question of whether the ransom was paid always comes up:

  • 41% paid to “expedite recovery”
  • 28% paid to “avoid downtime”
  • 49% paid to “avoid a loss in revenue”

But even after paying the ransom, 80% experienced a second attack and 68% were asked for a higher ransom!

Then there is the aftermath to the organization:

  • 54% still had corrupted systems or data
  • 37% had to lay off employees
  • 35% had a C-level resignation
  • 33% had to temporarily suspend business

What’s interesting is that 75% of organizations believe they have the right contingency plans to manage a ransomware attack – a number that hasn’t changed in the last year, according to Cybereason. This data point, mixed with the aftermath stats above, makes me think of the old adage “The best-laid plans of mice and men often go awry.”

So, while your organization “has a plan” to address ransomware, the only truly effective plan is to attempt to stop it all – a strategy that needs to include empowering your users with Security Awareness Training so they are able to distinguish legitimate email and web content from malicious content intent on kicking off a ransomware attack.

READ MORE